OFFICE OF INSPECTOR GENERAL

AUDIT OF APPLICATION CONTROLS FOR USAID/GLOBAL HEALTH BUREAU’S FIELD SUPPORT-AID SYSTEM

AUDIT REPORT NO. A-000-08-003-P
January 28, 2008

WASHINGTON, DC


Office of Inspector General

January 28, 2008

MEMORANDUM

TO:       Senior Deputy Assistant Administrator, GH/AA, Gloria Steele

FROM:     AIG/A, Joseph Farinella /s/

SUBJECT:  Audit of Application Controls for USAID/Global Health Bureau’s Field Support-AID System (Report No. A-000-08-003-P)

This memorandum transmits our final report on the subject audit. We have considered your comments on the draft report and have included your response in Appendix II.

This report contains two recommendations. The first is to help USAID improve application controls for its Field Support-AID system. The second addresses unneeded roles in USAID’s core accounting system. Based on your response and the supporting documentation that you provided with your comments, final action has been taken on both recommendations.

I appreciate the cooperation and courtesies extended to my staff during this audit.

cc: Controller GH/SPBO, Kristine Smathers

U.S. Agency for International Development
1300 Pennsylvania Avenue, NW
Washington, DC 20523
www.usaid.gov


CONTENTS

Summary of Results ... 1
Background ... 2
Audit Objective ... 3
Audit Finding ... 4
    USAID Did Not Have Formal Documented Access Approval to FS-AID ... 4
Other Matters of Interest ... 7
    Field Support-AID System Administrator Has Unneeded Roles in Phoenix ... 7
Evaluation of Management Comments ... 9
Appendix I – Scope and Methodology ... 10
Appendix II – Management Comments ... 11


SUMMARY OF RESULTS

Information technology application controls are fully automated controls designed to ensure complete and accurate processing of data. Application controls vary based on the business purpose of the specific application and help ensure the privacy and security of data transmitted between applications. (Page 2.) The Information Technology and Special Audits Division of the Office of Inspector General conducted this audit to determine whether USAID had implemented application controls for its Field Support-AID system to mitigate the risk of mismanaging appropriated funds. (Page 3.)

Overall, the audit determined that the application controls for the system were adequate, except that USAID did not formally document the approvals needed to access the system. For example, USAID implemented application controls with edit checks built into the system to help ensure that data is accurate. However, the lack of proper approvals to access the system means that unauthorized users could gain access to sensitive information, increasing the risk of unauthorized use, loss, or modification of the information. (Pages 4-6.)

In addition, the audit found that the system administrator had unneeded roles in Phoenix (the Agency’s core accounting system).[1] Specifically, he had input capabilities in the system when he needed only view capabilities to perform his job. As a result, he had the ability to distribute and process funds for program and operating expenses, an ability incompatible with his job functions. (Pages 7-8.)

This report contains two recommendations. The first is to help USAID improve its application controls over the system. (Page 6.) The second addresses the unneeded access to USAID’s core accounting system. (Page 8.)

Based on USAID’s response and the supporting documentation provided, final action has been taken on both recommendations. (Page 9.)

[1] This particular finding was not tied directly to our audit objective. However, the issue was discovered during our fieldwork, and we felt it significant enough to report.


BACKGROUND

Information technology (IT) application controls are fully automated controls designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application and help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:

•   Completeness checks - Controls to ensure that all records were processed from initiation to completion.

•   Validity checks - Controls to ensure that only valid data are input or processed.

•   Authentication - Controls to ensure that only authorized programs can read the data.

Field support is the process by which USAID missions “buy in” to centrally awarded contracts, cooperative agreements, and grants. For example, a mission may buy in to a grant covering a broad range of environmental issues as they apply to regional security, stability, and conflict. This method can help meet the needs of USAID missions where (1) indefinite delivery contracts are not available, (2) contract staffing is insufficient in the field, or (3) a particular activity requires flexibility, and management of that activity more appropriately lies with the central bureaus. In fiscal year 2006, USAID missions obligated more than $400 million through field support agreements.

According to the system administrator, the field support process began in 1995, but the system used for tracking field support activity has changed over time. It began with e-mail exchanges and spreadsheets, evolved to a basic database, and eventually to the current Web-enabled database system, called Field Support-AID (FS-AID).

In 2005 USAID interfaced FS-AID with Phoenix, USAID’s core accounting system. Although Phoenix tracks expenditures, it has no budgeting capabilities and does not contain sublevel expenditure categories. Thus, USAID bureaus[2] use FS-AID to track budget activity for field support by inputting planning, receiving, obligating, and commitment data into the system. In addition, USAID uses information in the system for reports to Congress.

[2] A bureau is a major organizational unit of USAID that reports to the Office of the Administrator. A bureau administers complex and diverse programs involving a designated geographic area; major policy, program, and technical advisory services; or management and program support functions.


AUDIT OBJECTIVE

This audit was conducted to answer the following question:

    Did USAID implement application controls for its Field Support-AID system to mitigate the risk of mismanagement of appropriated funds?

A description of the audit’s scope and methodology is contained in Appendix I.


AUDIT FINDING

USAID implemented application controls for its Field Support (FS)-AID system to mitigate the risk of mismanaging appropriated funds, but USAID did not formally document the approvals needed to access FS-AID.

Specifically, USAID implemented edit checks to help ensure that data within the system is accurate. The controls included the following (among other things):

•   Checks to ensure that an input field accepts the appropriate numeric format and the required number of characters. For example, for the “Commit/Amend” field, the system validates the amounts entered and the field support requests selected.

•   Completeness checks that identify missing data fields. For example, FS-AID verifies that Strategic Objective values are not missing.

•   Error and warning messages that indicate the type of problem encountered. For example, when a commitment comes back from Phoenix as “Failed,” the system provides a screen where users can view the error messages returned. In addition, an event log records error messages for processes that are not seen by the user. System administrators can check this log to troubleshoot data errors and inconsistencies or unresponsiveness reported by users.

However, USAID did not formally document the approvals needed to access FS-AID. The following section discusses this issue in detail.

USAID Did Not Have Formal Documented Access Approval to FS-AID

    Summary: USAID did not formally document approvals needed to access FS-AID, as required by National Institute of Standards and Technology (NIST) Special Publication 800-12. According to Agency personnel, the FS-AID policy and procedures manual, including the FS-AID Access Form, was never finalized. Because FS-AID did not have proper access approvals in place, unauthorized users could gain access to the system and its sensitive information, increasing the risk of unauthorized use, loss, or modification of the information.

According to Section 10.2 of NIST 800-12, An Introduction to Computer Security:

    Effective administration of users' computer access is essential to maintaining system security. User account management focuses on identification, authentication, and access authorizations. This is augmented by the process of auditing and otherwise periodically verifying the legitimacy of current accounts and access authorizations.

According to NIST 800-12, authorization to access a system is granted, directly or indirectly, by the application or system owner.

In addition, according to the U.S. Government Accountability Office’s (GAO) “Standards for Internal Control in the Federal Government”:

    Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

According to the system administrator, access to FS-AID requires a “Rule of Two”: two members of USAID management must request access, stating why access is needed and whether read or write access is appropriate. However, the system administrator also stated that there is no formal access authorization form. Instead, mission users are granted access to the system via e-mail requests, and the system administrator generally (but not always) keeps the e-mails pertaining to access by mission users. For Washington users, the system administrator does not require e-mail permission from USAID management; rather, he grants access after receiving verbal permission from either the individual requestor or the individual’s supervisor.

Based on a random sample of 50 from a list of 596 users, 34 (68 percent) did not have documented access rights. Of the 34 users, 15 could enter data into the system and 19 had read-only access.

According to the FS-AID system administrator, USAID management did not believe formal documented access approval was needed because (1) FS-AID is not a financial system and (2) the security setup is a single sign-on application linked via USAID’s network. Although both statements may be true, FS-AID contains sensitive information and is linked to Phoenix. Single sign-on establishes who a user is; it does not establish whether that user should hold read or write access, which is what a documented approval records. Therefore, proper access approval procedures are needed to protect data within the system from unauthorized users.

In fact, the draft “Access Control, Incident Response, and Security Risk Management Policies and Procedures” for FS-AID states that to “obtain access to the FS-AID, an individual shall complete the FS-AID Access Form contained in the attached Adobe Acrobat File.” However, USAID did not finalize and put that document into use. According to the system administrator, the document was drafted to demonstrate to the chief information security officer, the Phoenix security team, and the deputy chief financial officer that FS-AID had effective security control measures in place, so as to obtain their approval to activate the interface between FS-AID and Phoenix. USAID officials decided to approve activation without that document, and as a result an FS-AID Access Form was never prepared.

Because FS-AID did not have proper access authorization in place, unauthorized users could gain access to the system and its sensitive information, increasing the risk of unauthorized use, loss, or modification of the information. Although no instances of unauthorized access were identified, the system administrator determined that 9 of the 50 users (18 percent) in the sample no longer required access to the system. Thus, we are making the following recommendation:

    Recommendation No. 1: We recommend that the Field Support-AID System Owner document the approval procedures that authorize access to the Field Support-AID system. At a minimum, these procedures should include the requirement for formal documentation of access rights, approvals, and periodic recertification.


OTHER MATTERS OF INTEREST

Although this issue does not relate directly to the audit objective, it was identified during audit fieldwork and needs to be brought to the attention of USAID management for corrective action.

Field Support-AID System Administrator Has Unneeded Roles in Phoenix

    Summary: Contrary to NIST 800-53, USAID’s Field Support-AID system administrator has unneeded roles in Phoenix, USAID’s core accounting system. This occurred because the system administrator was given these roles during the Phoenix overseas deployment. These unnecessary roles gave him the ability to distribute and process funds for program and operating expenses, an ability incompatible with his job functions.

According to Appendix F of NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, the organization should establish appropriate divisions of responsibility and separate duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.

The FS-AID system administrator is responsible for developing, implementing, managing, and operating information systems for field support activity. In addition, he is responsible for providing technical leadership for data management tasks. However, based on a query of Phoenix, USAID’s core accounting system, the system administrator has the ability to input information into Phoenix.
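Both the access-approval finding above and the role issue described in this section reduce to checks an administrator can run over the user list on a fixed schedule: is there a documented approval from two managers, does it cover the access level actually held, is it due for recertification, and do the account's roles exceed what the job function needs. The following is an added example written for this page; it is not code from the report, from FS-AID, or from Phoenix. The user records, approval records, role names, and the job-function role matrix are constructed sample data, and the annual recertification interval is an assumption taken from the management response.

```python
"""Periodic access review for an application's user list.

Added example, not code from the report or from FS-AID or Phoenix. It checks
the things Recommendations 1 and 2 ask for: a documented approval from two
managers ("Rule of Two") that covers the access level held, recertification on
a fixed cadence, and roles that stay within what the job function needs. The
users, approval records, role names and role matrix are constructed sample
data; a real run would read them from the system owner's records."""
from dataclasses import dataclass
from datetime import date, timedelta

RECERT_INTERVAL = timedelta(days=365)  # annual review of all accounts (assumed cadence)
MIN_APPROVERS = 2                      # "Rule of Two": two managers must request access

# Roles each job function legitimately needs (constructed matrix). "read" is
# view-only; every other role listed can change data.
ALLOWED_ROLES = {
    "fs_admin": {"read"},  # coordinate, track and monitor commitments: view only
    "budget": {"read", "distribute_funds", "process_funds"},
    "mission": {"read", "commit"},
}
WRITE_ROLES = {"distribute_funds", "process_funds", "commit"}


@dataclass(frozen=True)
class User:
    name: str
    job_function: str
    roles: frozenset


@dataclass(frozen=True)
class Approval:
    user: str
    approvers: tuple  # managers who requested the access
    approved_on: date
    write: bool       # True if write access was approved, False for read only


def review(users, approvals, today):
    """Return exception lists keyed by finding; one user can appear under several."""
    by_user = {a.user: a for a in approvals}
    out = {"undocumented": [], "write_not_approved": [], "recert_due": [], "excess_roles": {}}
    for u in users:
        a = by_user.get(u.name)
        # 1. A documented approval with at least two distinct management approvers.
        if a is None or len(set(a.approvers)) < MIN_APPROVERS:
            out["undocumented"].append(u.name)
        # 2. Any write-capable role held must be covered by an approval for write access.
        if a is not None and (u.roles & WRITE_ROLES) and not a.write:
            out["write_not_approved"].append(u.name)
        # 3. Recertification: an approval older than the interval must be renewed.
        if a is not None and a.approved_on + RECERT_INTERVAL < today:
            out["recert_due"].append(u.name)
        # 4. Least privilege / separation of duties: roles outside the job function's set.
        extra = u.roles - ALLOWED_ROLES.get(u.job_function, set())
        if extra:
            out["excess_roles"][u.name] = sorted(extra)
    return out


def exception_rate(result, users):
    """Share of reviewed users with at least one finding (the report's 34-of-50 figure)."""
    flagged = (set(result["undocumented"]) | set(result["write_not_approved"])
               | set(result["recert_due"]) | set(result["excess_roles"]))
    return len(flagged) / len(users) if users else 0.0


# Constructed sample data, chosen so that each check fires at least once.
TODAY = date(2008, 1, 28)  # review date (the report date)
USERS = [
    User("alice", "mission", frozenset({"read", "commit"})),  # fully documented, current
    User("bob", "mission", frozenset({"read", "commit"})),    # only one approver on record
    User("carol", "mission", frozenset({"read"})),            # approval more than a year old
    User("dave", "fs_admin", frozenset({"read", "distribute_funds", "process_funds"})),  # excess roles
    User("erin", "budget", frozenset({"read", "process_funds"})),  # no approval record at all
    User("frank", "mission", frozenset({"read", "commit"})),  # approved for read, holds write
]
APPROVALS = [
    Approval("alice", ("mgr_a", "mgr_b"), date(2007, 9, 1), True),
    Approval("bob", ("mgr_a",), date(2007, 9, 1), True),
    Approval("carol", ("mgr_a", "mgr_b"), date(2005, 12, 1), False),
    Approval("dave", ("mgr_c", "mgr_d"), date(2007, 6, 1), True),
    Approval("frank", ("mgr_a", "mgr_b"), date(2007, 10, 1), False),
]

if __name__ == "__main__":
    result = review(USERS, APPROVALS, TODAY)
    for finding, names in result.items():
        print(f"{finding}: {names}")
    print(f"exception rate: {exception_rate(result, USERS):.0%}")
```

An approval held by fewer than two distinct managers counts as undocumented, matching the report's own "Rule of Two" standard rather than the weaker test of whether any e-mail exists. The write check is the one the report could only partly perform (it did limited work comparing privileges to documented authorizations); keeping the approved access level in the record makes that comparison mechanical. On a population the size of FS-AID's (596 accounts) the review should run over every account rather than a sample; sampling is an audit technique, not an operating control.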
Specifically, he was given roles that allowed him to:

•   Distribute funds at the activity level for dollars appropriated for program and operating expense funds.

•   Process the funds for program and operating expense.

According to the system administrator, those roles in Phoenix are not required to perform his job functions, which are to coordinate, facilitate, track, and monitor commitments. He affirmed that he needs only read-only access to perform his duties.

According to the system administrator, he never used the aforementioned roles in Phoenix and viewed information only to help him manage and track field support requests and commitments. Moreover, a query of Phoenix showed that the system administrator never processed transactions in Phoenix.

According to Phoenix Security officials, the FS-AID system administrator was given these additional roles in case his assistance was needed to create mission budgets at the activity level during the Phoenix overseas deployment.

As a result, the system administrator had the ability to distribute and process funds for program and operating expenses, an ability incompatible with his job functions. Upon being informed of this, the system administrator initiated a request that those roles be removed. Nonetheless, we are making the following recommendation:

    Recommendation No. 2: We recommend that the Controller in the Global Health Bureau’s Office of Strategic Planning, Budget & Operations review the Field Support-AID system administrator’s roles in Phoenix to determine which roles are needed for his current job functions and, based on the results of that review, make needed requests to the Phoenix Security team to modify those roles.


EVALUATION OF MANAGEMENT COMMENTS

USAID management concurred with Recommendations No. 1 and No. 2. Based on the response and supporting documentation provided, final action was taken on both recommendations upon issuance of this report.

For Recommendation No. 1, we recommended that the Field Support-AID System Owner document the approval procedures needed to access the Field Support-AID system. At a minimum, these procedures should require formal documentation of access rights, approvals, and periodic recertification. In response, the Field Support-AID System Administrator Guide has been updated to require that (1) approval for access to the database be documented and (2) an annual review of all user accounts be conducted.

For Recommendation No. 2, we recommended that the Controller in the Global Health Bureau’s Office of Strategic Planning, Budget & Operations review the Field Support-AID system administrator’s roles in Phoenix to determine which roles are needed for his current job functions and, based on the results of that review, make needed requests to the Phoenix Security team to modify those roles. In response, the Bureau for Global Health and the Phoenix Security Team revised the Field Support-AID system administrator’s roles accordingly and limited his access to the system to only those roles necessary to carry out his job functions.

The complete text of USAID’s management comments (excluding the attachment) is included in Appendix II.


APPENDIX I

SCOPE AND METHODOLOGY

Scope

The Office of Inspector General (OIG), Information Technology and Special Audits Division, performed this audit in accordance with generally accepted government auditing standards. The purpose of this audit was to determine whether USAID implemented proper application controls for the Field Support-AID system to mitigate the risk of the mismanagement of appropriated funds. The reviews of application controls for this audit were limited to the following points:

•   Data accuracy

•   Completeness checks

•   Validity checks of data

•   Verifiability of data

Audit fieldwork was conducted at USAID headquarters in Washington, D.C., between May 17 and October 10, 2007.

Methodology

To answer the audit objective, we obtained and reviewed FS-AID documentation and conducted interviews with the FS-AID team. Specifically, we performed the following actions (among others):

•   Assessed a sample of application controls against National Institute of Standards and Technology Special Publications, the U.S. Government Accountability Office’s “Standards for Internal Control in the Federal Government,” and the FS-AID System Design Document.

•   Reviewed the overall process of the FS-AID application itself.

•   Reviewed a random sample of users to determine whether user access had been authorized. However, we performed only limited work to determine whether user privileges on the system were consistent with the documented user authorizations.

•   Followed up on other OIG audit reports that addressed FS-AID and its controls, as appropriate.

We did not evaluate the field support process or assess the accuracy of the field support requests and commitments, nor did we set a materiality threshold for this audit.


APPENDIX II

MANAGEMENT COMMENTS

TO:       Director IG/A/ITSA, Melinda G. Dempsey

FROM:     GH/SPBO Controller, Kris Smathers /s/

SUBJECT:  Bureau for Global Health’s Response to the OIG’s Draft Report Titled “Audit of Application Controls for USAID/Global Health Bureau’s Field Support AID System” (A-000-08-00X-P)

Thank you for the opportunity to respond to the Office of Inspector General’s (OIG) Draft Report Titled “Audit of Application Controls for USAID/Global Health Bureau’s Field Support AID System” (A-000-08-00X-P). The Bureau for Global Health (GH) has taken the following actions outlined below and is, therefore, requesting that the two recommendations be closed upon issuance of the OIG’s final audit report.

Recommendation No. 1: We recommend that the Field Support-AID System Owner document the approval procedures for access authorization to the Field Support-AID system. At a minimum, these procedures should include the requirement for formal documentation of access rights, approval, and periodic re-certification.

GH concurs with the recommendation. The Field Support-AID System Administrator Guide has been updated to require (1) documented access approval for the database and (2) an annual review of all user accounts. Further, GH has designed and instituted an enhanced integrated electronic and paper record keeping system that will track and maintain supporting database access approval documentation for all new and re-certified user accounts. (Please see pages 4-1 and 4-10 in the attached revised FS-AID System Administrator Guide.)

On this basis, GH requests that the recommendation be closed upon issuance of the final audit report.

Recommendation No. 2: We recommend that the Controller of Operations in the Global Health Bureau’s Office of Strategic Planning, Budget & Operations review the Field Support-AID system administrator’s roles in Phoenix to determine which roles are needed for his current job functions and, based on that review, make needed requests to the Phoenix Security team for modifications of those roles.

GH concurs with the recommendation. The Bureau for Global Health has completed a review of the Field Support-AID system administrator’s roles in Phoenix and determined that his current job functions require only the ability to make inquiries. In accordance with this review, the attached request was submitted to the Phoenix Security Team to revise the Field Support-AID system administrator’s roles accordingly, and the Phoenix Security Team has completed this modification in Phoenix.

On this basis, GH requests that the recommendation be closed upon issuance of the final audit report.

GH would like to thank the OIG staff for their thoughtful insights during the audit that we believe have resulted in improved controls for the Field Support AID System.


U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Ave, NW
Washington, DC 20523
Tel: (202) 712-1150
Fax: (202) 216-3047
www.usaid.gov/oig